Thematic investing in Cyber

Regulation as driver of demand

We take a demand-led investment approach. With that demand intelligence, we can seek out innovators building disruptive solutions to those needs (ideally, based on first-hand experience as an owner of the relevant problem). Obviously, our network of CISOs (Chief Information Security Officers) and other security professionals helps inform this view.

But we also seek a broader viewpoint. Increasingly, particularly as regards future demand cycles, it is important to understand the existing and evolving regulatory landscape in which the target customers of our (existing and future) portfolio operate. Regulation can be a powerful catalyst for innovation. It can expand the customer base (beyond those adopting best practice to an entire industry), transforming a “nice-to-have” solution into a “must-have” part of the technology stack.

We are at a crucial point in the regulatory cycle for cyber security. With the recent extension of a number of requirements to new sectors, and the impending introduction of further laws and regulations over the coming years, now is an important time to understand these incoming frameworks and the obligations they place on different sectors and their participants. For example, some of the incoming regulations extend the scope of existing requirements, such as the NIS 2 Directive, which requires that in-scope firms include a focus on supply chains when considering their cyber posture. This will inevitably increase the expectations and obligations on suppliers to demonstrate their own cyber resilience, when no such requirements may have previously applied to them. This is a classic example of regulation ‘infecting’ firms outside of the immediate scope of a law, requiring regulated firms to have oversight of unregulated ones — regulation by proxy, if you will. And this form of regulation is very infectious (every supplier listens to the demands of their biggest customers).

Analysis of these evolving regulations has helped us map a number of demand themes (investment opportunities) that supplement organic market demand. In this article we highlight key legislative initiatives and some of their requirements.

Five key regulatory drivers of demand in cyber

We see the following five legislative initiatives as key sources of the wave of regulation coming to industry. These are European initiatives, but each has or will have a UK equivalent that we expect to closely track the provisions or principles set out in their European counterparts. As with GDPR, we expect Europe (and the UK) to continue to lead the way on these initiatives. Although one cannot ignore other markets (in particular the US), start-ups in Europe and the UK looking to solve these regulatory challenges have an innate advantage in their proximity to customers facing those challenges sooner.

NIS 2 Directive

Due to come into force in October 2024, this is an update to and expansion of the existing Network and Information Systems Directive of 2016. This regulation applies to “essential” and “important” organisations, with the definition of each meaning that significantly more firms are caught by the requirements (including energy, utilities and manufacturing). Arguably, this initiative is more evolution than revolution, but it does place increasing levels of responsibility and liability at board level (with significantly enhanced enforcement powers for regulators) that will garner deserved attention. As mentioned, there is a focus on supply chain cyber resilience and an increased focus on monitoring and reporting requirements for in-scope firms.

In response to NIS 2, one area where we expect to see an increased need for technology solutions is enterprise-wide systems that map cyber risk, improving visibility for, and oversight by, boards of directors. Over the medium term, the complex security needs of historically offline and analog sectors significantly expand the customer base for operational technology (OT) security solutions.

DORA

The Digital Operational Resilience Act is a sector-specific implementation and expansion of the NIS 2 Directive. Where DORA and NIS 2 both apply, DORA should prevail. This Act is expected to come into force in January 2025. Applying specifically to financial services businesses, it also includes certain ICT providers to that sector. Key requirements are centred on governance and control frameworks, incident management, implementation of digital testing programs, and management of third-party risk — in each case specifically tailored to the requirements and context of financial services. Not to be outdone by NIS 2, DORA also includes the potential for criminal and administrative penalties for non-compliance.

Opportunities that arise from DORA’s requirements include technologies that: increase the scale and efficiency of cyber security testing and assurance programs; assist with supply chain management (in the sense of understanding the cyber resilience of suppliers and mapping that risk in a holistic way, as well as programmatic testing of software supply chain vulnerabilities); and next generation incident detection, management and response platforms (with intelligent scaling and prioritisation of an ever-expanding flow of alerts).

Cyber Resilience Act

Over the medium term the Cyber Resilience Act (the Product Security Act in the UK) is going to have a significant impact on manufacturers, importers and distributors. Due to be in force in 2026 or 2027, this Act extends to software and hardware products with “digital elements”. At its core, this Act places obligations on those three groups of industry participants to reduce vulnerabilities and maintain a cyber posture management system for the life-cycle of those products.

Of particular interest here are technologies that help OEMs improve the security of their products in production, and/or manage security monitoring across the product life-cycle (with the latter providing interesting longer-term business models for the right solutions).

Cyber Security Act

This Act, already in force, is being amended to introduce certification requirements for managed security service providers (MSSPs). A logical expansion of the original scope, this will have a not insignificant compliance impact on this sector, where a large number of small to medium-sized businesses form the bulk of its participants.

AI Act

Perhaps obvious given the current hype around artificial intelligence and machine learning technologies, the AI Act is on everyone’s radar. The European (and UK) regulations are expected to be much more comprehensive than the recent Executive Order announced by the Biden administration in the US. The Act will introduce a framework for AI cyber practices (FAICP), an acronym we expect to become very familiar with over the coming decade…

As an entirely new category, ‘cyber for AI’ is an evolving space that is moving quickly. We see exciting opportunities right across the AI product life-cycle: from the adoption of secured-by-design principles in development, to assurance processes before deployment, to threat detection and response once live.

Conclusion

The demands of regulation are important inputs into our thematic approach to early-stage investing in cyber security. Right now, and particularly in the UK and Europe, the wave of new and evolving cyber regulations is creating an additional opportunity set for cyber founders to attack as well as accelerating existing needs. Technology will be an important part of the solution to these impending challenges, and we look forward to helping our portfolio and their customers to meet them.

Osney Capital

Osney Capital is a sector specialist venture capital firm, focussed exclusively on the early-stage Cyber sector in the UK. Everything that we do is geared around supporting UK Cyber founders and companies that we invest in, during the very early stages of their growth.

For more information on our approach and how to apply for funding, please visit www.osneycapital.com or contact paul.wilkes@osneycapital.com.

Thematic investing in Cyber was originally published in Osney Capital on Medium.